Commit graph

197 commits

Author SHA1 Message Date
f59b00a23d desktop: rename gnome.nix → desktop.nix; switch to nemo
- Rename settings/gnome.nix to settings/desktop.nix (file no longer
  has anything to do with GNOME)
- Replace nautilus with nemo — starts fast, has a hamburger menu,
  no Tracker3/Mutter D-Bus dependencies
- Exclude thunar (pulled in by XFCE) via environment.xfce.excludePackages
- Remove nautilus Tracker dconf workaround (no longer needed)
- Update $mod+E keybind and common.nix import accordingly

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 17:50:01 +01:00
b6eb5c055d services: add code-server web IDE at code.nordhammer.it
Deploys code-server on FredOS-Mediaserver (port 4444, user fred) with
Authelia one_factor auth and nginx reverse proxy. Includes claude-code
in system packages for use in the integrated terminal.

Also fixes anyrun launcher width to absolute 350px (was a tiny fraction).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 10:59:35 +01:00
ceebf1b3ee 2026-05-15 22:11:57 +01:00
f8417a5f64 2026-05-15 20:20:35 +01:00
5f01f22088 2026-05-15 12:17:12 +01:00
e1fbff024b 2026-05-14 14:46:31 +01:00
34e32e7ce4 Remove shitty ollama. 2026-05-13 10:24:14 +01:00
505a50bf74 Adding ollama to server. 2026-05-12 13:34:07 +01:00
1bf08d2097 stylix: full migration off matugen
Flips stylix.autoEnable on so every supported target picks up colours
from the wallpaper-derived base16 palette, and tears out the per-app
matugen plumbing it replaces:

- fred.nix: drop the matugen config.toml block and the .keep files;
  move btop and ghostty to programs.* with the colour-bearing options
  removed (stylix owns those).
- gnome.nix: remove the matugen and jq packages, the hand-written
  gtk.css home.file overrides (replaced by gtk.gtk{3,4}.extraCss layered
  on top of stylix's theme), the WallpaperShell user-themes override,
  and the gtk-theme/cursor-theme/accent-color dconf entries that stylix
  now writes.
- stylix.nix: add a home.activation hook that recolours Adwaita folder
  SVGs using stylix.colors.base0D and pulls in Papirus mimetypes —
  same outcome as the old matugen post-hook but driven by stylix.
- common.nix: drop the matugen invocation from the `update` alias.

Leftover matugen-only behaviour intentionally dropped: Vesktop CSS,
the GNOME accent hue-mapping, the VSCodium colour-merge (stylix's
vscode target handles that natively). Templates in templates/ are kept
on disk for now; can be removed in a follow-up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 19:44:19 +01:00
cc4216117a stylix: phase 1 — add input and target waybar/fuzzel/mako/hyprlock/hyprland
Adds nix-community/stylix on its release-25.11 branch (master references
options that don't exist in 25.11's nixpkgs). autoEnable=false so
matugen keeps owning every app it currently themes; we only opt in to
the five targets matugen doesn't cover.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-11 13:32:18 +01:00
61981995ec hyprland: scaffold tiling-first session on FredOS-Gaming
Adds settings/hyprland.nix as a sibling to the GNOME module, gated to
the Gaming host. GDM picks up the new session entry automatically; GNOME
remains the default and can be reselected at login.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 20:03:43 +01:00
0c1b23337f Revert "libvirtd: KVM stack on FredOS-Gaming for Win11 guest"
This reverts db69615. Not pursuing the Windows-VM workaround for the DR
client mod after all. The server-side AdminCommandHandler exposes a
LevelSelf channel that bypasses the DLL flow entirely, which is a
better path than running a whole guest OS for one game.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 14:27:35 +01:00
db69615506 libvirtd: KVM stack on FredOS-Gaming for Win11 guest
Adds libvirtd + virt-manager + OVMFFull (UEFI w/ Secure Boot) + swtpm
(software TPM 2.0) so a Windows 11 VM can install. Brings in virtio-win
ISO for guest drivers and virt-viewer for SPICE console. Adds fred to
the libvirtd group.

Reason: the Dungeon Runners client-side mod (DSOUND.dll inline-hook
trampolines + memory scanner) crashes wine with a guard-page violation
on init regardless of Proton vintage; the only realistic path for
character progression is to run the client on real Windows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 12:00:22 +01:00
8b83cf9bfb dr-server: run Dungeon Runners Reborn headless under Wine
New service module on FredOS-Mediaserver that launches the friend's
Windows-only Unity server (DR_Server.exe -batchmode -nographics) in a
Win64 wine prefix. wineboot initializes the prefix on first start.
Opens auth/game/queue ports 2110, 2603-2606 (TCP+UDP).

Build files staged separately at ~/dr-server-build on the server;
sudo-move into /var/lib/dr-server/Build after the rebuild.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-07 09:40:42 +01:00
0e672afa68 common: add dnsutils for ad-hoc DNS debugging
Same rationale as jq — useful when poking at the AdGuard / DNS path
during incidents; no package on the system currently provides dig/host.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 13:16:16 +01:00
f1eb467fd4 common: drop redundant build step from update alias
`nixos-rebuild switch` already builds — the prior `build && switch`
chain made nix evaluate the flake twice and pushed a second
empty-tree nom render to the terminal. With one switch, the nom
output stays clean: single dependency graph, then activation, then nvd.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-05 16:20:06 +01:00
2ea40eb22c common: install jq globally
Useful for ad-hoc shell scripts (e.g. downloads-cleanup.sh) — already a
build-time dep of arr-interconnect, just wasn't on the user PATH.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 20:08:15 +01:00
287053b909 common: wire nix-output-monitor into the update alias
Adds nix-output-monitor to systemPackages and pipes nixos-rebuild's
internal-json log stream through `nom --json` for both the build and
switch steps. set -o pipefail at the top so a failed rebuild aborts the
chain (otherwise && only sees nom's exit code, which is always 0).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-04 19:58:49 +01:00
d4ab29699a Update common.nix 2026-05-04 01:38:14 -07:00
29e1185694 runner: add Forgejo Actions runner on the mediaserver
Adds services/forgejo-runner.nix as a host-gated module on the mediaserver
and switches the flake-update workflow from runs-on: ubuntu-latest to the
self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for
GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token
so it stays out of the Nix store.

Also drops the stray result/ build symlink from the worktree.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:58:28 +01:00
4683d6953f common: point update alias at Forgejo
Migrating origin from GitHub to a private Forgejo repo at
forg.gregersen.it/rope/nixos. Each host needs the PAT in /root/.git-credentials
(host-local state, set up manually since the repo isn't publicly readable).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 15:35:07 +01:00
c1094e7352 Fix proton-vpn rename on Gaming, restore zramSwap
The 25.11 channel renamed proton-vpn to protonvpn-gui; Macbook was
patched in an earlier commit but Gaming wasn't, breaking the build.

zramSwap goes back into common.nix as the cheap OOM-during-uncached-build
safety net — even on stable, --refresh against a freshly-bumped lock can
trigger local builds the box has no swap to absorb.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-01 13:38:27 +01:00
695ac75daf Update common.nix
removed some AI crap that's no longer needed on stable.
2026-05-01 11:00:57 +01:00
a9649be705 profilarr: swap recyclarr for Dictionarry's Profilarr
Profilarr replaces the recyclarr/TRaSH-Guides flow with a stateful web
service that owns *arr profiles end-to-end via its own UI. Runs as an
oci-container on 127.0.0.1:6868, fronted by nginx at
profilarr.nordhammer.it behind Authelia (one_factor).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-30 20:00:33 +01:00
17ea72e2ed common: drop --source-color-index from matugen update alias
The flag was removed in matugen 3.x; the call now exits with an arg
parse error on every update (caught by '|| true' but noisy). matugen
picks a sensible source color by default, so we just drop the flag.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 20:17:01 +01:00
34a45af357 flake: split mediaserver onto nixos-25.11, keep desktops on unstable
The mediaserver kept hard-freezing on local builds (gnupg, openldap,
deno/rusty-v8) whenever a fresh unstable revision outran Hydra's
binary cache. It doesn't need bleeding-edge packages — every service
it runs is mature enough that 6-month-old versions are fine — so move
it onto the stable channel where the cache is essentially always
warm. Gaming and Macbook stay on unstable for fresh GPU/kernel work.

Implementation: add nixpkgs-stable + home-manager-stable inputs,
parameterise mkHost to accept a (nixpkgs, home-manager) pair.

Drive-by:
- Switch homepage.nix from environmentFiles (plural, unstable-only)
  to environmentFile (singular, present on both channels).
- Gate the openldap-skip-tests overlay to non-mediaserver hosts so
  it doesn't force a local rebuild on stable, where openldap is
  always cached.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 13:26:07 +01:00
057d24517f common: cap parallel builds + zramSwap to survive local rebuild storms
The mediaserver (56 cores, 31 GiB RAM, no swap) was hard-freezing on
local builds of gnupg/openldap because Nix defaulted max-jobs=auto and
launched ~56 parallel gcc compilations, blowing past available memory
and OOM-stalling AdGuard.

Cap parallelism (max-jobs=4, cores=8 per build) and add zramSwap as a
compressed in-memory safety net so a build storm can't take services
with it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 11:57:40 +01:00
70ee0fc811 common: cap nix-daemon CPUWeight at 50 to keep services responsive
Heavy local builds (gnupg/openldap checkPhase under a freshly-bumped
nixpkgs lock) were saturating CPU and starving AdGuard on the
mediaserver, making DNS effectively unresponsive until the build
finished or got cancelled.

Halving the daemon's CPU share leaves headroom for latency-sensitive
services without meaningfully slowing builds on an otherwise idle box.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 11:17:51 +01:00
e99bc7cc9b recyclarr: add weekly TRaSH-Guide profile sync for Sonarr & Radarr
Score-based release filtering replaces the brittle "minimum size" approach
— good HEVC encodes from reputable groups now win regardless of file
size, while obfuscated/no-group/lazy-x265 garbage gets banned.

Profiles installed:
  Sonarr: WEB-1080p (default), UHD Bluray + WEB (per-show opt-in)
  Radarr: HD Bluray + WEB (default), UHD Bluray + WEB (per-movie opt-in)

AV1 is banned across all four profiles since the GPU lacks hardware
decode. API keys are extracted at runtime from each *arr's config.xml,
matching the arr-interconnect pattern.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 10:31:09 +01:00
336d9df6a6 common: skip openldap test phase as temp workaround
test017-syncreplication-refresh is timing-flaky and fails reliably on
local builds when Hydra's binary cache hasn't yet served the upstream
artifact. Overlay sets doCheck=false so the build can proceed. Remove
once the substituter catches up to the pinned nixpkgs revision.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-28 13:01:07 +01:00
a124f314d9 common: bake --impure into update alias
CrowdSec reads the ntfy topic URL from /var/secrets/ntfy-url at eval
time via builtins.readFile. Pure flake mode forbids reading paths
outside the source tree, so without --impure the read silently falls
through to the placeholder URL on every rebuild. Adding --impure to
both build and switch keeps the secret-file pattern working.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-26 19:35:32 +01:00
525147aa61 fail2ban: remove — superseded by CrowdSec
CrowdSec covers the same surface (sshd, authelia, nginx, *arr apps,
qBit) with the addition of community-sourced threat intel and ntfy
push alerts. Keeping both was redundant. State at /var/lib/fail2ban
will sit unused until cleaned up by hand.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-26 19:26:24 +01:00
7ec6146917 crowdsec: add community IDS/IPS with ntfy push alerts
Enables the CrowdSec agent with sshd/nginx/http-cve hub collections,
acquires logs from nginx, sshd, and Authelia journald, and wires the
firewall bouncer to enforce bans via nftables. Alerts are POSTed to a
self-chosen ntfy.sh topic (URL read from /var/secrets/ntfy-url, falls
back to a placeholder so the repo stays eval-clean without the secret).

Module is self-contained — remove the file + import to uninstall; state
lives under /var/lib/crowdsec.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 22:30:16 +01:00
77eafded92 Turn mediaserver into a home router
Adds services/router.nix with systemd-networkd (eno1=WAN via DHCP,
eth0=LAN 10.0.0.1/24), nftables (NAT + firewall, default drop on WAN
in), dnsmasq (DHCP only — AdGuard Home keeps :53 for DNS), and sysctl
IP forwarding. NetworkManager is forced off on this host.

Port forwards live in ports.toml at the repo root and are imported via
builtins.fromTOML. Supports single ports, ranges ("26901-26902"), and
"both" protocol. Initial forwards: 22, 80, 443, 26900, 26901-26902.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-24 09:48:38 +01:00
a825e36e2e Make AdGuard settings authoritative; add busybox; drop fallback DNS
- services/adguard.nix: mutableSettings = false so Nix config overrides
  UI-made changes on rebuild (settings are the source of truth)
- common.nix: add busybox for its collection of handy utilities
- common.nix: remove networking.nameservers — DNS now comes purely from
  per-host NetworkManager config (AdGuard as the only resolver, no leaks)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-22 19:57:55 +01:00
919c991e3d Add AdGuard Home for network-wide DNS ad blocking
New services/adguard.nix runs AdGuard Home on the mediaserver with DoH
upstreams (Cloudflare + Quad9) and three default blocklists. DNS listens
on :53; web UI on 127.0.0.1:3000, reverse-proxied at adguard.nordhammer.it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-22 13:40:30 +01:00
c05f986e1c Add 7 Days to Die dedicated server container; drop V-Rising
Enables the previously-disabled game-servers module with a new 7DTD
container (vinanrra/7dtd-server) on ports 26900 TCP + 26900-26902 UDP.
A oneshot systemd service waits for LGSM's first install to drop
sdtdserver.xml, then patches in the server name, password, and
random-gen world before restarting the container. V-Rising is removed
— the module hadn't been imported, so this just drops dead code.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-17 22:28:49 +01:00
f57c6e99ec Add Last Update widget to Homepage via record-update script
record-update parses nvd diff after switch and writes latest.json;
Homepage polls a local-only nginx listener and renders date/changes/
closure/kernel via a customapi widget.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-16 20:58:19 +01:00
df227ad173 Revert "Add Tdarr transcoding manager for bulk H.264→HEVC conversion"
This reverts commit 91c437de6d.
2026-04-15 10:23:28 +01:00
91c437de6d Add Tdarr transcoding manager for bulk H.264→HEVC conversion
Runs Tdarr server with internal node on the mediaserver for managing
library-wide re-encoding to save disk space. Web UI at tdarr.nordhammer.it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 10:17:09 +01:00
e1f073969b Fix reboot alias auth prompt and minor formatting
Add sudo to reboot alias so it doesn't prompt for password.
Add blank line before networking.hostName in hardware config.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 09:23:12 +01:00
a109d5a5c7 Disable game servers while not in use
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 22:10:20 +01:00
8aa7beccd6 Re-enable all services after secret migration to new server
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 21:59:18 +01:00
5b12b59654 Temporarily disable game servers for server migration
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 16:05:16 +01:00
3c8d5678b0 Temporarily disable services requiring secrets for server migration
Commented out nginx, go2rtc, cloudflare-ddns, fail2ban, and authelia
until secrets are migrated to the new server hardware.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 16:03:50 +01:00
25189a0d99 Skip matugen in update alias when not installed
Guard matugen call with command -v check so the update alias
works on hosts without GNOME/matugen (e.g. mediaserver).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-14 09:44:00 +01:00
effa5e5cbb Add wallpaper-based color theming with matugen
- Matugen templates for Ghostty theme and GTK4 colors
- Ghostty uses generated wallpaper theme instead of Catppuccin
- GTK4 CSS imports generated color overrides
- Update alias runs matugen after switch to regenerate colors
- Add wallpaper fish function to change wallpaper + regen colors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 19:56:38 +01:00
7a6ee02360 Forward arguments through update alias to nixos-rebuild
Allows passing flags like --refresh to both build and switch steps.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 19:43:32 +01:00
e19c03bda6 Fix update alias for fish compatibility
Wrap in bash -c since fish doesn't support bash variable
assignment syntax in aliases.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 11:48:27 +01:00
e156d79862 Show nvd package diff after switch completes
Saves the old system path before switching so nvd can compare
old vs new after everything else finishes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 11:47:06 +01:00